A CERTIFICATION METHOD



The present invention relates to a certification method and system. The present invention 
particularly, but not exclusively, relates to public key cryptography and a process for the issuing 
of digital certificates to bind a person's identity to a particular public key.

The basis of public key cryptography is the generation of a public and private key pair 
for use in the encryption and decryption, and signing and verifying, of information transmitted 
over public access communication lines. Key pairs are mathematically related, but it is not 
practically feasible to derive a private key from its corresponding public key. A person may
openly distribute the public key but the person must keep secret the private key. Anyone wishing 
to send information to a person encrypts the information using that person's public key. The 
recipient, being the sole possessor of the corresponding private key, is the only person who can 
decrypt that information. 

For a number of electronic commerce applications, a trusted third party, known as a 
Certification Authority (CA), is needed to bind a person's identity or information, such as 
privileges, memberships, account numbers, etc., to their public key. The CA issues a digital 
certificate, which is essentially a form of electronic identification that binds two or more pieces 
of information, such as the identity of the person and a particular public key. Throughout the
specification a reference to a person is intended to include a reference to an organisation or
individual. 

The process of binding a public key to a person must be secure so that the CA can issue 
a digital certificate and be accordingly held responsible for it. At present, there is a weakness
in certification processes used by CAs. Once the CA receives the public key generated by a 
person's equipment, together with other data concerning the person, a registrar of the CA 
contacts the person, or vice versa, to correctly identify them with reference to the person's 
identifying or personal data that has been provided. This is normally done by having the 
contacted person repeat to the registrar personal details, such as mothers' maiden names and
drivers' licence numbers. This identifying information however is only related to the identifying 
or personal data submitted by the person and does not relate whatsoever to the public key which 
is used for all future communications. The public key can therefore become separated from the 
person's data held by the CA or substituted and there is currently no method of relating the
public key to the person other than by storing it with the person's data. It is desired to overcome 
this problem or at least provide a useful alternative. 

The present invention provides a certification method, including:

receiving a public key of a public/private key pair generated by a system of a person;

processing said public key to generate a communicable code representative of said public key;

identifying said person, said identifying including having said person convey said
communicable code; and

generating a digital certificate, said certificate including said public key.

The present invention also provides a certification system, including: 
means for receiving a public key of a public/private key pair generated by a system of
a person;

means for processing said public key to generate a communicable code representative
of said public key; and

means for generating a digital certificate after identifying said person, said identifying
including having said person convey said communicable code, and said certificate including said
public key.

The present invention also provides a certification program stored on computer readable 
storage media, including: 

code for receiving a public key of a public/private key pair generated by a system of a
person;

code for processing said public key to generate a communicable code representative of
said public key; and

code for generating a digital certificate after identifying said person, said identifying
including having said person convey said communicable code, and said certificate including said
public key.

The present invention also provides an identification process, including: 

receiving a public key of a public/private key pair and identifying information of a
person;

deriving a communicable code from said public key; and

having said person convey said communicable code.

The present invention also provides an identification process, including:

generating a communicable code from a public key of a public/private key pair; and 
binding said public key to identifying information of a person when said person conveys 
said communicable code. 

A preferred embodiment of the present invention is hereinafter described, by way of
example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram of a preferred embodiment of a certification system; and 
Figure 2 is a flowchart of steps executed by the system. 

Referring to Figure 1, there is shown a person 20 who can interact with a telephone 42
or the person's computer system 32. The computer system 32 can communicate with a
certification computer system 30 of a Certification Authority (CA), or a registrar acting for or
on behalf of the CA, via a communications channel 60. A registrar 10 of the CA interacts with
the certification system 30 and a telephone 40 to communicate with and confirm the identity of
the person 20. The registrar 10 and the person communicate verbally over a communications
channel 62 connecting the telephones 40, 42. The computer systems 30, 32 may communicate
with each other independently or on instructions from the registrar 10 or person 20, respectively.
The communications channels 60, 62 may be constituted by any voice or data transmission
media. For example, the communications channel 60 may be a TCP/IP link.

Referring to Figure 2, a person wishing to obtain a certificate from the CA would visit
the CA web site 100 using the person's computer system 32. This is the first step in the process
of obtaining a certificate and is one way by which the person may perform the second step of
filling out the registration form 110 and sending it to the CA over the communications channel
60. The registration form captures personal or identifying information about the person which
could be used to confirm the identity of that person over the telephone. Once the person fills out
and sends the registration form 110, the person is not aware of the subsequent steps in the
process until he or she receives a registration ID, at step 210, in the form of a communicable
code. The intervening parts 120 to 200 of the process are conducted by the computer systems
30, 32 automatically.

The computer system 30 of the CA receives and processes the submitted registration
form at step 120 and sends an instruction to generate the public/private key pair 130 to the
computer system 32 of the person. The received registration information may be stored in a
database at this point or may be stored once the person's public key is received and the
corresponding alphanumeric code is generated together with that information. Once the
computer system 32 has received the instruction to generate a public/private key pair, it
generates, according to algorithms commonly used by browser applications, such as Netscape
Navigator or Microsoft Internet Explorer, a public/private key pair at step 140. The private key
is kept securely by the person in the memory of the computer system 32 or another data storage
medium, while the public key may be used by anyone wishing to send information to the person.
The person's computer system 32 sends the public key 150 to the computer system 30 of the
CA. Once the computer system 30 receives the public key it generates the communicable code,
at step 180. The public key is represented as a value of the Abstract Syntax Notation No. 1
(described in ASN.1 by ITU) data type SubjectPublicKeyInfo (defined in standard X.509 by
ITU), encoded according to the distinguished encoding rules (DER by ITU) and passed through
a secure one-way hash algorithm such as SHA-1 (defined in the U.S. Government Federal
Information Processing Standard (FIPS) 180-1). The output of the hash algorithm is truncated
to 40 bits and converted to 8 base-32 characters. The numerals and upper case letters (excluding
'0', '1', 'O' and 'I' to avoid confusion) are used as the base-32 character set. For example, the
code may be 8JQ3 UEB5. The code is communicable, to the extent that it is sensibly
communicable by the person to the registrar on the communications channel 62, which may
include a telephone call or facsimile message. The public key is not sensibly communicable on
an identification channel 62 as it is a large mathematical quantity typically consisting of
hundreds of decimal digits. The information on the person generated and received is then stored
in a database, at step 190, by the CA.

The communicable alphanumeric code is sent to the person as a registration ID, at step
200. The person will probably not know that the registration ID is, in fact, derived from the
public key generated by the person's computer system 32. At some time after the person
receives the registration ID 210, he or she establishes telephone communication with the
registrar of the CA and provides the registrar with relevant person identification information,
at step 220. The registrar confirms the relevant information 230 and requests the person to say
the registration ID 240. Once the person provides the registration ID 250 to the registrar, the CA
has a public key from computer system 30 and a confirmed identity and communicable code
from the registrar. The CA compares, at step 260, the code to a value recalculated from the
public key using the secure hash algorithm and, if they match, issues a digital certificate that
lists the public key and confirmed identity 270. The digital certificate thereby incorporates the
public key and the confirmed identity data and is signed by the CA's private key. The certificate
may be sent, at step 280, to the person and stored, at step 290, on their hard drive, floppy disk,
smart card, etc. and/or the certificate may be published in another system, such as electronic
white pages.

As the alphanumeric code used in the identification process is derived directly from the 
public key, the CA can ensure the identification information confirmed by the registrar and the 
public key are bound as a pair, which ensures the digital certificate contains the correct
information. 
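The code derivation at step 180 and the comparison at step 260, as an added Python example that is not code from the specification. The ordering of the 32 symbols, the choice of the leading 40 bits of the digest, and all function names are assumptions; the sample key is constructed.

```python
import hashlib
import hmac

# Assumed symbol order: digits then upper-case letters, minus the four
# look-alikes the specification excludes ('0', '1', 'O', 'I').
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key whose
# 32 key bytes are 00..1f (not a real person's key).
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


def encode_40_bits(prefix: bytes) -> str:
    """Encode exactly 5 bytes as 8 characters, 5 bits per character."""
    if len(prefix) != 5:
        raise ValueError("need exactly 40 bits")
    value = int.from_bytes(prefix, "big")
    return "".join(ALPHABET[(value >> shift) & 0x1F] for shift in range(35, -1, -5))


def registration_id(spki_der: bytes) -> str:
    """Step 180: SHA-1 over the DER key, keep 40 bits, render as 'XXXX XXXX'."""
    digest = hashlib.sha1(spki_der).digest()
    code = encode_40_bits(digest[:5])  # assumption: the leading 40 bits are kept
    return f"{code[:4]} {code[4:]}"


def normalise(conveyed: str) -> str:
    """Canonicalise what the registrar typed; reject symbols outside the set."""
    code = "".join(conveyed.split()).upper()
    if len(code) != 8 or any(ch not in ALPHABET for ch in code):
        raise ValueError("not a valid registration ID")
    return code


def codes_match(spki_der: bytes, conveyed: str) -> bool:
    """Step 260: recompute the code from the stored key and compare."""
    try:
        typed = normalise(conveyed)
    except ValueError:
        return False
    expected = registration_id(spki_der).replace(" ", "")
    return hmac.compare_digest(expected.encode(), typed.encode())


if __name__ == "__main__":
    rid = registration_id(SAMPLE_SPKI)
    print("registration ID sent at step 200:", rid)
    print("person reads it back:", codes_match(SAMPLE_SPKI, rid.lower()))
    # Constructed case: the stored key was replaced after the ID was sent.
    swapped = SAMPLE_SPKI[:-1] + b"\xff"
    print("record with substituted key:", codes_match(swapped, rid))
```

Input containing '0', '1', 'O' or 'I' is rejected outright, since no valid registration ID can contain those symbols.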

The steps of the certification process described above which are executed on the 
computer systems 30 and 32 are preferably executed by, or under the control of, computer 
programs resident on the respective systems 30 and 32. The steps may also be wholly or partly
executed by dedicated hardware included in the systems, such as application specific integrated 
circuits (ASICs). The systems 30 and 32 may comprise single systems in one location or may 
comprise distributed systems with their software and hardware components in different 
locations. 


Many modifications will be apparent to those skilled in the art without departing from
the scope of the present invention as herein described. For example, the person 20 being
identified may be aware that the registration ID is a summary of the public key. Their system
32 could be used to generate the alphanumeric code, which acts as a key summary, and the
person can then convey the code with the identifying information which is to be bound to the
public key. Also when the registrar identifies the person and has the person convey the
communicable code, a number of techniques could be employed to initiate or achieve this. For
example, the registrar may phone the person, the person may phone the registrar, as discussed
above, or the person can physically visit, fax or send mail to the registrar, and/or vice versa.



CLAIMS:

1. A certification method, including:

receiving a public key of a public/private key pair generated by a system of a person;

processing said public key to generate a communicable code representative of said public key;

identifying said person, said identifying including having said person convey said
communicable code; and

generating a digital certificate, said certificate including said public key.

2. A certification method as claimed in claim 1, wherein said identifying includes verifying
identification information of said person, and said certificate binds said identifying information
and said public key.

3. A certification method as claimed in claim 2, wherein said communicable code is a
limited character string.

4. A certification method as claimed in claim 3, wherein said communicable code is
generated using a secure one-way hash function.

5. A certification method as claimed in claim 1, including requesting generation of the
public/private key pair by the system of the person, in response to receiving a registration
request from the person.

6. A certification method as claimed in claim 5, wherein said registration request includes
said identifying information for said person.

7. A certification method as claimed in claim 1, wherein said identifying includes matching
a communicable code generated from said public key with the communicable code conveyed
by said person.

8. A certification method as claimed in claim 1, including sending said digital certificate
to said system of said person.

9. A certification method as claimed in claim 1, including sending said code to said system
for said person.

10. A certification method as claimed in claim 9, wherein said sending includes transmitting
display data to said system for display of said communicable code by said system.

11. A certification method as claimed in claim 1, wherein said processing of said public key
is executed by said system of said person.

12. A certification method as claimed in claim 1, wherein said conveying involves oral
communication of said communicable code.

13. A certification method as claimed in claim 12, wherein the oral communication occurs
during a telecommunications call.

14. A certification system, including:

means for receiving a public key of a public/private key pair generated by a system of
a person;

means for processing said public key to generate a communicable code representative
of said public key; and

means for generating a digital certificate after identifying said person, said identifying
including having said person convey said communicable code, and said certificate including said
public key.

15. A certification system as claimed in claim 14, wherein said identifying includes verifying
identification information of said person, and said certificate binds said identifying information
and said public key.

16. A certification system as claimed in claim 15, wherein said communicable code is a
limited character string.

17. A certification system as claimed in claim 16, wherein said communicable code is
generated using a secure one-way hash function.

18. A certification system as claimed in claim 14, including means for sending said code to
said system for said person.

19. A certification system as claimed in claim 14, including means for requesting generation
of the public/private key pair by the system of the person, in response to receiving a registration
request from the person.

20. A certification system as claimed in claim 19, wherein said registration request includes
said identifying information for said person.

21. A certification system as claimed in claim 14, wherein said identifying includes
matching a communicable code generated from said public key with the communicable code
conveyed by said person.

22. A certification system as claimed in claim 14, including means for sending said digital
certificate to said system of said person.

23. A certification system as claimed in claim 18, wherein said means for sending transmits
display data to said system for display of said communicable code by said system.

24. A certification system as claimed in claim 14, wherein said conveying involves oral
communication of said communicable code.

25. A certification system as claimed in claim 24, wherein the oral communication occurs
during a telecommunications call.

26. A certification system as claimed in claim 14, including means for executing said
identifying.

27. A certification program stored on computer readable storage media, including:

code for receiving a public key of a public/private key pair generated by a system of a
person;

code for processing said public key to generate a communicable code representative of
said public key; and

code for generating a digital certificate after identifying said person, said identifying
including having said person convey said communicable code, and said certificate including said
public key.

28. A certification program as claimed in claim 27, wherein said identifying includes
verifying identification information of said person, and said certificate binds said identifying
information and said public key.

29. A certification program as claimed in claim 28, wherein said communicable code is a
limited character string.

30. A certification program as claimed in claim 29, wherein said communicable code is
generated using a secure one-way hash function.

31. A certification program as claimed in claim 27, including code for sending said code to
said system for said person.

32. A certification program as claimed in claim 27, including code for requesting generation
of the public/private key pair by the system of the person, in response to receiving a registration
request from the person.

33. A certification program as claimed in claim 32, wherein said registration request
includes said identifying information for said person.

34. A certification program as claimed in claim 27, wherein said identifying includes
matching a communicable code generated from said public key with the communicable code
conveyed by said person.

35. A certification program as claimed in claim 27, including code for sending said digital
certificate to said system of said person.

36. A certification program as claimed in claim 31, wherein said code for sending transmits
display data to said system for display of said communicable code by said system.

37. A certification program as claimed in claim 27, wherein said conveying involves oral
communication of said communicable code.

38. A certification program as claimed in claim 37, wherein the oral communication occurs
during a telecommunications call.

39. A certification program as claimed in claim 27, including code for executing said
identifying.

40. An identification process, including:

receiving a public key of a public/private key pair and identifying information of a
person;

deriving a communicable code from said public key; and

having said person convey said communicable code.

41. An identification process as claimed in claim 40, including comparing a communicable
code derived from the public key with the conveyed communicable code, and issuing a digital
certificate binding the public key and identifying information when the codes match.

42. An identification process as claimed in claim 41, wherein said communicable code is
a limited character string.

43. An identification process as claimed in claim 42, wherein said communicable code is
generated using a secure one-way hash function.

44. An identification process, including:

generating a communicable code from a public key of a public/private key pair; and

binding said public key to identifying information of a person when said person conveys
said communicable code.

Name of sole or first inventor: James Howard MANGER
Residence: Carlton North, Victoria, Australia
Citizenship: Australian
Post Office Address: Flat 6, 623 Drummond Street, Carlton North, Victoria 3054, Australia

Name of second joint inventor, if any: Edward Andrew ZUK
Residence: Elwood, Victoria, Australia
Citizenship: Australian
Post Office Address: 1 Heaton Avenue, Elwood, Victoria 3184, Australia